Using WordPress? Install Better WP Security to See How Many People are Trying to Break Into Your Site

I’m writing an article for work about WordPress security. Part of the process is trying different WordPress security plugins. One of the plugins I tried is Better WP Security, a Swiss army knife of security tools. One of its features is logging failed attempts to log into the WordPress backend.

[Figure: Better WP Security Failed Logins Log. 50 failed logins to the administrator account in 6 hours.]

It turns out I’m getting hundreds of login attempts every day from people trying to guess the administrator password. That’s a bad thing.

A couple of things you can do if people are trying to log into your site:

  • Make sure you’re using a strong password.
  • Change the administrator account to something other than the default of “admin.” It’s under the User tab in Better WP Security. All of the failed logins for my site are for the “admin” username.
  • Turn off verbose login error messages (Remove WordPress Login Error Messages under Tweaks tab). By default, WordPress tells people whether their login failed because the username was bad or the password was bad. With verbose messages turned off they won’t know which part of the login was incorrect. Let them think they should keep trying to get in with “admin.”
  • Enable login limits (Log tab). Users who give bad login credentials x number of times in y time period will be locked out of the site for z minutes. Optionally you can block IP addresses after a certain number of lockouts. You can opt to be notified by email when lockouts occur. The emails include the person’s IP address, which the log screen doesn’t. On my site about 50% of bad logins are from China, 30% are from Russia, and 20% are scattered all over the world.
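To make the login-limit logic from the last item concrete, here is a small sliding-window lockout tracker written for this post (hypothetical code, not part of Better WP Security); the thresholds and the failed-login lines it replays are constructed, and it tracks failures per source IP.

```python
# Hypothetical lockout policy modelled on the Log tab options: x bad logins within
# y minutes lock the source out for z minutes, and N lockouts block the IP outright.
# Written as an illustration for this post; not Better WP Security's own code.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                  # x: failures allowed inside the window
WINDOW = timedelta(minutes=5)     # y: sliding window for counting failures
LOCKOUT = timedelta(minutes=15)   # z: how long a lockout lasts
MAX_LOCKOUTS = 2                  # block the IP after this many lockouts

class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> when the current lockout ends
        self.lockout_count = defaultdict(int)
        self.blocked = set()                 # IPs that exceeded MAX_LOCKOUTS

    def record_failure(self, ip, username, now):
        """Register one bad login and return 'ok', 'locked' or 'blocked'."""
        if ip in self.blocked:
            return "blocked"
        if self.locked_until.get(ip, now) > now:
            return "locked"                  # still inside an active lockout
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                 # drop failures older than the window
        if len(recent) < MAX_FAILURES:
            return "ok"
        recent.clear()
        self.lockout_count[ip] += 1
        if self.lockout_count[ip] >= MAX_LOCKOUTS:
            self.blocked.add(ip)
            return "blocked"
        self.locked_until[ip] = now + LOCKOUT
        return "locked"

# Constructed failed-login records: "<timestamp> <source ip> <username>"
SAMPLE_LOG = """2013-04-10T08:00:00 203.0.113.5 admin
2013-04-10T08:00:20 203.0.113.5 admin
2013-04-10T08:00:45 203.0.113.5 admin
2013-04-10T08:01:00 203.0.113.5 admin
2013-04-10T08:30:00 203.0.113.5 admin
2013-04-10T08:30:10 203.0.113.5 admin
2013-04-10T08:30:20 203.0.113.5 admin
2013-04-10T08:31:00 203.0.113.5 admin
2013-04-10T09:00:00 198.51.100.7 admin"""

def replay(log_text):
    """Feed each failed login to the policy; return (policy, [(ip, outcome), ...])."""
    policy, outcomes = LockoutPolicy(), []
    for line in log_text.strip().splitlines():
        stamp, ip, user = line.split()
        outcomes.append((ip, policy.record_failure(ip, user, datetime.fromisoformat(stamp))))
    return policy, outcomes
```

The third failure within five minutes locks 203.0.113.5 out, the attempt during the lockout is refused, and the second lockout half an hour later turns into a permanent block.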

4 Responses to Using WordPress? Install Better WP Security to See How Many People are Trying to Break Into Your Site

  1. Mike S says:

    Excellent tip! I’m going to install it all over the place.

  2. Pingback: SayUncle » Busy Bees

  3. unknown reader says:

    A while back, there was a guy who set up honey traps for crackers/hackers/spammers etc.

    His technique was to partially accept the hacker’s attempt, then wait until the timeout was almost expired before he sent back the failure message. This accomplishes two things: it ties up the sender’s computer and comm channel for more time, costing the hacker valuable resources, and it prevents the sender from making another attempt on his computer, or any other, until the timeout expires.

    His technique must have been successful since his site was bombarded with DDOS attacks, as well as every site he tried to port to. Sort of a hacker heckler’s veto.

  4. MJM says:

    Thanks, Les